The Optus Hack: How It Happened

In late 2022, Australians were shocked when Optus, one of the country’s biggest telcos, was hacked. An attacker broke into an Optus system and stole sensitive data about its customers, then posted some of the leaked information online for anyone to view (the post has since been deleted).

This article will examine how the breach happened and what Optus and the government are doing to ensure it never happens again.

How did the Optus leak happen?

The reasons for the Optus leak are threefold.

Firstly, their API (software that lets two applications talk to each other) was open: it could be reached from the internet without any authentication. An open API isn’t always a problem, but in this case it was.

Secondly, that open API returned sensitive customer data: names, addresses, dates of birth and identity document numbers.

Thirdly, Optus used incrementing customer identifiers. When a customer signs up to an online platform, their record is keyed by an identifier rather than by their name. Those identifiers don’t have to be secret, but if knowing one is all it takes to fetch a record, they must at least be unguessable. At Optus they were sequential: if I signed up as customer 1234 and you signed up straight after me, you were 1235.

Together, these three failures meant an attacker didn’t need to guess anything. They could start at one identifier, add one, request the next record, and repeat until they had walked the whole customer database.
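The following is an added illustration, not Optus’s code. It models the pattern the article describes: an unauthenticated record lookup keyed by a sequential integer, which an attacker can walk from end to end; the hardened equivalent with opaque identifiers, a session check and an object-level ownership check; and a simple detector that flags a client requesting consecutive IDs. The customer records, log lines, endpoint path and thresholds are all constructed for the example.

```python
# Added illustrative example (not Optus code). Models the failures described
# above: an open lookup keyed by a sequential ID, its hardened form, and a
# detector for ID enumeration in access logs. All data here is constructed.
from __future__ import annotations

import re
import secrets
from dataclasses import dataclass
from itertools import groupby
from typing import Optional


@dataclass
class Customer:
    name: str
    dob: str
    licence_no: str


# Constructed sample records, keyed by sequential IDs as the article describes.
SEQUENTIAL_DB = {
    1234: Customer("Alice Example", "1990-01-01", "DL-0001"),
    1235: Customer("Bob Example", "1985-05-05", "DL-0002"),
    1236: Customer("Carol Example", "1978-09-09", "DL-0003"),
}


# --- Vulnerable pattern: no authentication, guessable key -------------------
def vulnerable_lookup(customer_id: int) -> Optional[Customer]:
    """Anyone who knows (or guesses) an ID gets the record."""
    return SEQUENTIAL_DB.get(customer_id)


def enumerate_vulnerable(start: int, stop: int) -> dict[int, Customer]:
    """The attacker's loop: walk the ID space and keep every hit."""
    found = {}
    for cid in range(start, stop):
        rec = vulnerable_lookup(cid)
        if rec is not None:
            found[cid] = rec
    return found


# --- Hardened pattern: opaque IDs, authentication, ownership check ----------
class AuthError(Exception):
    pass


class Forbidden(Exception):
    pass


class HardenedApi:
    def __init__(self) -> None:
        self._db: dict[str, Customer] = {}
        self._sessions: dict[str, str] = {}  # session token -> customer id

    def add_customer(self, c: Customer) -> str:
        cid = secrets.token_urlsafe(16)  # unguessable, non-sequential id
        self._db[cid] = c
        return cid

    def login(self, cid: str) -> str:
        """Stand-in for real authentication; returns a bearer token."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = cid
        return token

    def lookup(self, token: Optional[str], cid: str) -> Customer:
        caller = self._sessions.get(token or "")
        if caller is None:
            raise AuthError("no valid session")
        if caller != cid:  # object-level authorisation: stops IDOR/BOLA
            raise Forbidden("not the owner of this record")
        return self._db[cid]


def access_outcome(api: HardenedApi, token: Optional[str], cid: str) -> str:
    """Summarise a lookup attempt as 'ok', 'unauthenticated' or 'forbidden'."""
    try:
        api.lookup(token, cid)
        return "ok"
    except AuthError:
        return "unauthenticated"
    except Forbidden:
        return "forbidden"


# --- Detection: a client walking consecutive IDs ----------------------------
LOG_RE = re.compile(r"^(\S+) GET /customer/(\d+) ")


def detect_enumeration(log_lines: list[str], min_run: int = 5) -> dict[str, int]:
    """Return {client_ip: longest run of consecutive IDs} for clients at or over min_run."""
    ids_by_ip: dict[str, list[int]] = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            ids_by_ip.setdefault(m.group(1), []).append(int(m.group(2)))
    flagged = {}
    for ip, ids in ids_by_ip.items():
        ids = sorted(set(ids))
        # Within a run of consecutive integers, value minus index is constant.
        longest = max(len(list(g)) for _, g in groupby(enumerate(ids), lambda t: t[1] - t[0]))
        if longest >= min_run:
            flagged[ip] = longest
    return flagged


# Constructed log lines: one client iterating IDs 1230..1239, one normal client.
SAMPLE_LOG = [f"203.0.113.9 GET /customer/{i} 200" for i in range(1230, 1240)] + [
    "198.51.100.4 GET /customer/1235 200",
    "198.51.100.4 GET /customer/1235 200",
]
```

Running `enumerate_vulnerable(1230, 1240)` against the open lookup returns every record in that range, which is exactly the attacker’s position. Against `HardenedApi`, the same request without a session is rejected, and a valid session can only read its own record. The detector is deliberately simple (longest run of consecutive IDs per client); in production you would also rate-limit per client and alert on the run before it completes.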

What was stolen, and why does it matter?

The data stolen during the Optus breach includes:

  • Names
  • Dates of birth
  • Email addresses
  • Driver’s licence numbers
  • Medicare card numbers
  • Passport details

Thankfully, Optus said bank account details were not compromised in the breach. However, that is little comfort: the identity data that was taken is enough for a criminal to impersonate an Optus customer, pass identity checks and sign up for services in their name. That is the raw material for fraud, scams and other online mischief.

How it impacted Optus

After the hack, Optus set aside $140 million for customer remediation, an attempt to do everything it could to lose as few customers as possible. Spread across roughly 10 million customers, that $140 million works out at only $14 per customer.

The day after, Optus’ parent company, Singtel, saw its share price drop by 1.12%. It has since recovered.

10% of customers left within a month of the breach, and 56% said they were looking elsewhere and would likely move when their current contract ends.

What changes has Optus made?

Since the data breach, Optus has worked with Deloitte (a global professional services firm with a cyber security practice) to review its practices and work out how the attacker got through. Optus has promised to keep working with Deloitte to strengthen the security of all its data.

Optus has also done, or announced it will do, the following:

  • Share what it learns so other telcos don’t get hacked the same way.
  • Offer credit and ID monitoring to affected customers.
  • Add helpful security tools to its app.
  • Build better digital IDs.
  • Invest in educating people on how to avoid similar attacks.

At this stage, it’s difficult to tell whether Optus has a newfound commitment to security, or whether it has been caught with egg on its face and is trying to save it. In other words, I wonder how much of this is a publicity exercise.

What is the government doing to protect Australians from cyber-attacks?

  • Firstly, the Australian federal government is in the process of creating a new law that will allow Telcos to share government-issued ID documents with banks. This will enable banks to use enhanced monitoring for affected customers.
  • They are also investing more in fraud detection and reporting. So, anyone affected by the breach should get the help they need before things go too far.

In October 2022, the ACCC threatened to sue Optus for $2.2 million. At the time of writing, that court process has yet to conclude.

Is this a failure of Optus? Or was the hacker very clever?

The answer is both. Optus failed to meet its security duties to its customers. Exposing all that information through an unauthenticated API, and numbering customers sequentially so every record could be found by counting upwards, was foolish. And that’s not just our opinion; since the breach, the government, the ACCC and several independent review bodies have slammed Optus.

Cyber security is a cat-and-mouse game. Hackers and security experts are constantly trying to stay one step ahead. With the Optus hack, the mice managed to outwit the cat.

Conclusion

The Optus hack was one of the biggest Australian technology stories of 2022 and an eye-opener, the ramifications of which are still being felt. By their nature, telecommunications companies store the personal private data of millions of customers, including all the critical elements: ID, payment details and address information. On the face of it, Optus didn’t meet its obligations to its customers.

Considered more deeply, however, what the hack reveals is even more troubling. Telcos have a structural responsibility to secure their networks and to identify (and ideally mitigate) threats that appear on them. A straightforward example is a denial-of-service attack against a high-value target, say a bank. The bank is a customer of the telecommunications networks and can act to defend itself, but the telcos are uniquely placed to spot the attack traffic and help deal with it.

To use an admittedly imperfect analogy: what happened to Optus was that it had a truck full of money driving around Australia, and some clever thieves robbed it. But Optus (and the other telcos) build, manage and run the entire road system in the country. You could argue that they have an obligation to safeguard every company’s truck full of money.

With many Australian business leaders calling for a combined, government-led approach to the ever-increasing cyber security risks we face, one wonders whether the telcos should take the lead and, with the financial support of the government, put in place the measures that would secure our ‘streets’.